Cybersecurity recruiting is a national problem because of a shortage of talent, said U.S. House lawmakers at a hearing Thursday. But the federal government is facing some specific difficulties in hiring because of a damaged "brand" as an employer, said one witness.
The hearing on cybersecurity workforce shortages, held by the Committee on Homeland Security subcommittee on Cybersecurity, Infrastructure Protection and Innovation, came in response to recent high-profile ransomware attacks, such as those on the Colonial Pipeline and the water treatment facility in Oldsmar, Fla.
"The truth is, the number of trained cybersecurity professionals has not increased to the levels necessary to meet the demand from industry and government," said Yvette Clarke, D-N.Y., chair of the cybersecurity subcommittee.
Those testifying at the hearing estimated the national cybersecurity recruiting shortage ranged from 460,000 to more than 500,000, affecting businesses and government. Most of the expert testimony pointed to a skills shortage as a reason for the hiring gap and stressed the need for more funding to support various cybersecurity education training and apprenticeship programs.
But a skills shortage is only part of the story, especially for the federal government where cybersecurity recruiting is particularly acute, said Max Stier, president and CEO of the Partnership for Public Service. The nonprofit, nonpartisan group works with government officials to improve workforce management.
Cybersecurity recruiting fail
Only 6% of federal cybersecurity workers are under age 30, Stier said. "It's just extraordinary -- there's no generational diversity."
Young people don't want to work for the government, said Stier, who testified before the committee.
Stier said the "government's brand is damaged," blaming government shutdowns, hiring freezes, negative rhetoric and political interference in science as some of the reasons for this.
Max StierPresident and CEO, Partnership for Public Service
But some other problems with government cybersecurity recruiting are HR-related, including a lengthy hiring process that can take "100 days-plus to hire people," Stier said.
"Government rarely gets talent coming in that is young, bluntly," he said.
The federal government also struggles to retain younger employees, according to Stier. Of the people under 30 hired, three-quarters of them are leaving within two years, he said.
"If you do everything right on the front end and you don't address the retention issue, you actually don't solve the problem," Stier said.
Hearing witnesses made it clear that the difficulty in meeting national cybersecurity needs, both in the government and private sector, is escalating.
"The problem has not been getting better; it has been getting worse," Tony Coulson, executive director of the Cybersecurity Center at California State University, San Bernardino, said at the hearing.
Patrick Thibodeau covers HCM and ERP technologies. He's worked for more than two decades as an enterprise IT reporter.